Major data leak at Valley News Live exposes 1.8 million records of job applicants

In a significant data security breach, an unprotected dataset containing 1.8 million records, including over a million CVs, has been discovered online, potentially exposing sensitive information of job applicants to Valley News Live, a Fargo, North Dakota-based television station. The discovery was made by cybersecurity researchers at CyberNews, who identified the dataset on August 31, 2024. The findings raise concerns about the risks of identity theft, social engineering attacks, and other cyber threats for individuals whose personal information was exposed.

The dataset, which is believed to originate from Valley News Live’s job portal, includes personally identifiable information (PII) such as full names, phone numbers, email addresses, home addresses, social media links, and detailed employment and education histories. The job portal reportedly attracts up to 250,000 monthly visitors, making it a significant platform for job seekers in the region. Researchers noted that the exposed CVs span several years, with records dating back to 2017 and extending to 2024, indicating that many individuals could be affected.

Valley News Live, owned by Gray Media, is part of one of the largest broadcasting networks in the United States. Gray Media operates 180 stations across 113 markets, positioning it as the third-largest broadcaster in the country. The exposure of such a substantial volume of sensitive data from a subsidiary of a major media conglomerate underscores the potential scale and severity of the breach.

CyberNews researchers emphasized the risks associated with the leaked data, stating, “The exposed data includes highly sensitive personal identifiers, creating numerous attack vectors for cybercriminals, where personal information can be used to create synthetic identities or fraudulent accounts.” The researchers warned that the detailed PII in the CVs could enable malicious actors to carry out targeted social engineering attacks, phishing schemes, or even identity theft.

The dataset was discovered on an unprotected server, highlighting the importance of robust cybersecurity measures for organizations handling sensitive information. CyberNews disclosed the breach to Valley News Live on September 17, 2024, nearly three weeks after the initial discovery. It remains unclear whether the dataset was accessed or misused by unauthorized parties during its exposure period.

Individuals who have applied for jobs at Valley News Live or believe their information may have been compromised are advised to remain vigilant. Cybersecurity experts recommend monitoring financial accounts for suspicious activity, being cautious of unexpected communications, and considering identity theft protection services. Additionally, affected individuals should update their passwords and enable two-factor authentication on online accounts to mitigate potential risks.